Exetools  

Go Back   Exetools > General > Community Tools
Reload this Page TitanHide
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 02-10-2014, 07:13
mcp mcp is offline
Friend
  
Join Date: Dec 2011
Posts: 73
Rept. Given: 4
Rept. Rcvd 12 Times in 11 Posts
Thanks Given: 7
Thanks Rcvd at 47 Times in 35 Posts
mcp Reputation: 12
@mr.exodia
If you want a more robust implementation, I would recommend that you let your driver determine the OS specific offset by itself, i.e. let it disassemble the kernel function PsGetProcessDebugPort. You could do that like this:
a) determine function boundaries, i.e. disassemble all instructions from start of the function until ret.
b) go backwards starting at ret until you find the first instruction that writes to eax/rax. The immediate in the source operand expression should be the offset you're looking for.
Reply With Quote
The Following User Gave Reputation+1 to mcp For This Useful Post:
mr.exodia (02-15-2014)
The Following User Says Thank You to mcp For This Useful Post:
b30wulf (08-17-2015)
Reply

Tags
driver, hiding, ssdt, titanhide, x64

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


All times are GMT +8. The time now is 19:36.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )